Closed
Bug 1425267
(CVE-2018-5113)
Opened 7 years ago
Closed 7 years ago
browser.identity.launchWebAuthFlow can open privileged pages
Categories
(WebExtensions :: General, defect)
Tracking
(firefox-esr52 unaffected, firefox59 fixed)
RESOLVED
FIXED
mozilla59
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox59 | --- | fixed |
People
(Reporter: qab, Assigned: mixedpuppy)
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [adv-main58+][post-critsmash-triage])
Attachments
(2 files)
|
4.03 KB,
application/x-zip-compressed
|
Details | |
|
2.76 KB,
patch
|
rpl
:
review+
gchang
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Steps to reproduce:
1. Unpack attached PoC addon
2. Go to about:debugging and temporarily load the unpacked addon
3. 'about:addons' is opened in new window
Actual results:
browser.identity.launchWebAuthFlow does not check whether the passed URL is http/s only. We can open privileged about: pages as well as file: urls.
Expected results:
It should only open http/s (maybe other) URI schemes.
|
||
Comment 1•7 years ago
|
||
Shane, given bug 1305421, I guess you know about this?
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: General
Flags: needinfo?(mixedpuppy)
Product: Firefox → Toolkit
|
||
Comment 3•7 years ago
|
||
Redirecting back to Shane which is already looking into this.
Flags: needinfo?(lgreco) → needinfo?(mixedpuppy)
|
Assignee | |
Comment 4•7 years ago
|
||
Assignee: nobody → mixedpuppy
Flags: needinfo?(mixedpuppy)
Attachment #8938122 -
Flags: review?(lgreco)
|
|
||
Updated•7 years ago
|
Attachment #8938122 -
Flags: review?(lgreco) → review+
|
|
Assignee | |
Comment 5•7 years ago
|
||
FYI I'm not certain this is any real security concern here. Extensions should get no more access to eg. about:addons opened this way than they would if a user opened a tab to it. Nonetheless, it is fixed.
|
Reporter | |
Comment 6•7 years ago
|
||
(In reply to Shane Caraveo (:mixedpuppy) from comment #5)
> FYI I'm not certain this is any real security concern here. Extensions
> should get no more access to eg. about:addons opened this way than they
> would if a user opened a tab to it. Nonetheless, it is fixed.
This bug alone is not that dangerous, like the only security issue I can think of is opening 'about:addons' as soon as a user drags a link pointing to an addon and then once its dropped it will attempt to install.
Another example is that I found an xss in one of the about: pages which alone is not exploitable due to having the victim type the url manually to open the effected about: page. But coupled with this bug the whole process is automated resulting in a sec-highISH security exploit.
So technically this bug is a sec-moderate issue ( https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#0 )
|
|
Reporter | |
Comment 7•7 years ago
|
||
The above URL should have a hash pointing to "CVE-2017-7816: WebExtensions can load about: URLs in extension UI" Not sure why it did that.
|
||
Updated•7 years ago
|
Keywords: sec-moderate
|
|
Assignee | |
Comment 8•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c4f3b8d311e4751dafc00d689c3bf07f17c15dd
Bug 1425267 fix url param schema for launchWebAuthFlow, r=rpl
|
|
Assignee | |
Comment 9•7 years ago
|
||
Comment on attachment 8938122 [details] [diff] [review]
fix url param schema for launchWebAuthFlow
Requesting now so this is not lost over the break.
Approval Request Comment
[Feature/Bug causing the regression]: identity api
[User impact if declined]: possible to open local urls
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: yes, see opening comment for str
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: no new code paths, just limiting api arguments via schema
[String changes made/needed]: none
Attachment #8938122 -
Flags: approval-mozilla-beta?
|
||
Comment 10•7 years ago
|
||
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
status-firefox59:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
||
Comment 11•7 years ago
|
||
Comment on attachment 8938122 [details] [diff] [review]
fix url param schema for launchWebAuthFlow
Fix a security issue which is possible to open local urls. Beta58+.
Attachment #8938122 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Updated•7 years ago
|
status-firefox58:
--- → affected
|
|
||
Comment 12•7 years ago
|
||
| uplift | ||
|
||
Updated•7 years ago
|
status-firefox57:
--- → wontfix
status-firefox-esr52:
--- → unaffected
|
||
Updated•7 years ago
|
Whiteboard: [adv-main58+]
|
|
||
Updated•7 years ago
|
Alias: CVE-2018-5113
|
||
Updated•7 years ago
|
Flags: sec-bounty?
|
||
Updated•7 years ago
|
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
|
|
||
Updated•7 years ago
|
Group: toolkit-core-security → core-security-release
|
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Updated•7 years ago
|
Product: Toolkit → WebExtensions
|
|
||
Updated•6 years ago
|
|
||
Updated•8 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•